Thycotic’s Cyber Security Publication

RSA 2016 Cyber Terrorism Survey Results and Thoughts

April 4th, 2016

RSA 2016 was an incredibly busy show for us here at Thycotic. Between releasing a slew of new features for our flagship software Thycotic Secret Server, announcing our acquisition of Arellia, continuing to drive the Privileged Account Management space, and delivering multiple talks on how to solve many of the most common security and IT Operations problems faced by organizations out there, it was a week of non-stop activity for us! But, we didn’t stop there. We also had a chance to get out on the floor of the show and survey a number of attendees about their thoughts on the current state of our country’s preparedness and ability to deal with cyber terrorism. As the Executive Director of Security here, this is a topic that’s near and dear to my heart, and is a constant point of discussion for many of us in the Information Security community who are concerned about potential attacks from other nation-states against our government agencies, utility infrastructure, and private corporations.

Today, I’ll share the results of our survey from RSA 2016 and discuss a few of my thoughts on what these results from my fellow Information Security colleagues mean.

Here are the questions we asked RSA 2016 attendees:

1) Are terrorists capable of launching a catastrophic cyber attack on the U.S. within one year?
2) Do you think our military and business need to focus more on developing capabilities to defend against terrorist-inspired cyber terrorism?
3) What is a softer target for cyber terrorism: U.S. private companies or government agencies?
4) How prepared are the majority of U.S. companies to defend against cyber terrorism attacks?
5) Do you think that the terrorist-inspired cyber threat is over-hyped or not hyped enough?

We started with a fairly basic inquiry into whether or not people felt that terrorists were currently capable of launching a cyber attack against the U.S. in the next year. Over two-thirds of respondents stated they did feel that terrorists were this close, and over 80 percent agreed they could strike within two years. A consensus like this is not unusual these days, as more and more terrorist organizations have demonstrated increasing sophistication in their use of technology to communicate, social media to recruit new members, and of course, technical exploits and direct attacks against websites, corporate networks and government entities. What’s telling, though, is that while there is agreement among the vast majority of security professionals that a catastrophic sort of event can take place soon, most companies and government organizations aren’t moving fast enough to protect themselves from what seems to be an inevitable terrorist cyber attack. And nearly 90 percent of our respondents agree, stating that they believe the military and private sectors absolutely must focus more on developing and implementing defense strategies against this sort of terrorist-backed cyber attack.

While everyone agrees that action must be taken, opinions around who needs to take action first are a bit more split. Forty-nine percent of respondents felt that private sector companies are more susceptible to terrorist cyber attacks, while 42 percent said it was government organizations. This near-even response is fairly telling in that the need to bolster defenses against cyber attacks is clearly not solely the domain of the private or the public sector, but both are in equal need of protection. Opinions about who may be slightly worse off clearly differ, but with no one side being the dominant response here, I think it’s safe to say that the need is being felt across every organization and corporation out there. This need is supported by our respondents when answering the fourth question in the survey concerning the perceived level of preparedness for a cyber attack by U.S. companies. Only 4.5 percent of respondents told us that they felt U.S. companies were secured against cyber attacks, while a whopping 92 percent felt that they were somewhat protected, but still needed more security, or completely behind the curve and not secured at all. Agreement like this is unusual, but reflects the serious need to improve security across all organizations in the United States seen by security professionals from all over.

So, the question becomes, if it’s so widely agreed that more needs to be done and that the threat of a terrorist-sponsored cyber attack is imminent (relatively speaking), why aren’t there more alarms and red flags being raised across the U.S. to work on improving our defenses? The answer, I believe, lies in the responses to our fifth and final question of the RSA 2016 survey. Seventy-two percent of our respondents stated that they did not believe the threat of a cyber attack posed by terrorists was being hyped enough through the various media, news and social networks. Education is a common theme within strong security programs, and there is an ever-present need to inform users everywhere of the dangers presented by the wide variety of cyber threats out there, but with terrorist threats, it becomes difficult to publicize due to the somewhat intangible nature of these efforts. Physical terrorism has a direct and visceral result that can be shown on TV networks and internet news sites, making it an easy thing to explain and inform about. Even broader cyber attacks like data breaches performed by criminal organizations against private companies and government organizations represent a tangible loss of information that can be expressed through the sheer volume of information lost and the number of individuals it impacts. But cyber terrorism is plotted in the shadows, and is seldom publicized due to either a lack of any entity wanting to take credit, or the need of the government or private organizations to keep any investigation related to terrorism quiet, typically under the auspices of a national security matter. It is this radio silence on the issue that helps keep the matter off the radar for most everyone and decreases the sense of priority for protecting data and information assets from terrorist threats.

Fortunately, the sound security practices that every organization should be focusing on anyway are the very steps that any company can take to improve and bolster their defenses against these types of attacks. Focusing on protecting data via strong encryption, managing administrator-level credentials to keep the “keys to the kingdom” out of the hands of attackers (still, the most common target of hackers, and the most frequent root cause of data breaches today), and more granularly controlling access across networks, both for staff and outsiders, are all very information-centric means of building a powerful defense-in-depth program that starts from the inside and protects all the way out. This approach of working from your critical assets outward to the rest of your networks, data centers and endpoints best aligns with today’s hybrid cloud model that so many organizations, including government agencies, have adopted in order to conduct their business in this hyper-connected world. The more we can all leverage this approach, the better prepared every company and government agency will be against a terrorist-sponsored cyber attack.